Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.


Comments · 5,855

  1. Re:So much for Debian 8, then... on Google Chrome Requires TSYNC Support Under Linux · Score: 4, Informative

    It means it makes Chrome more secure.

    This sort of thing is why Debian is so often seen as a realm of knee-jerk lunatics. Debian isn't keeping up with features Chrome needs to be more resistant to browser exploits (which are used to install ACTUAL spyware) and the answer is "Chrome gathers statistics on how it's used so it's evil and we don't care if it breaks". WTF?

  2. Re:Yes. What do you lose? But talk to lawyer first on Ask Slashdot: Should I Let My Kids Become American Citizens? · Score: 1

    Unfortunately the amount is fixed in dollar terms and does not automatically adjust for inflation. When that exemption was set it was considered a large amount. However currently it's $97,000. The dollar is not an especially strong currency. That's about 60k GBP+. You can earn more than that just by being a decent computer programmer in London. And of course the OP's kids don't have to worry about the threshold today but rather in 20 years. There is zero incentive for Congress to be lenient here because now they have FATCA they can actually collect tax from anywhere in the world - it's taxation without representation which is ideal for them.

  3. Re:Yes. What do you lose? But talk to lawyer first on Ask Slashdot: Should I Let My Kids Become American Citizens? · Score: 3, Insightful

    The USA charges its citizens for evacuation, unlike all other countries in the world who also evacuate their citizens from trouble zones ..... for free.

    Will the U.S. government pay for my travel? How much will it cost?
    Departure assistance is expensive. U.S. law 22 U.S.C. 2671(b)(2)(A) requires that any departure assistance be provided "on a reimbursable basis to the maximum extent practicable." This means that evacuation costs are ultimately your responsibility; you will be asked to sign a form promising to repay the U.S. government.

    These costs have bankrupted people in the past, leaving them wishing they had not been "rescued".

    US citizens are in many places treated better as a result.

    US citizens are becoming systematically toxic and are treated like shit as a result, especially by the financial system. FATCA is a completely insane law and has resulted in banks around the world terminating accounts and refusing to make loans just because someone is a US citizen or has a green card. And unfortunately what many don't realise is you cannot get out of US citizenship just by paying a few thousand dollars as the summary suggests. There is a crippling exit tax that forces you to pay tax on the assumption you just sold all your assets. It's a form of capital control, except one you cannot escape from due to the long arm of the US government. Even better, USA can decide that the citizenship revocation is invalid if they think it was done for tax reasons. They can just keep forcing you to pay taxes forever, if they want to. It's basically modern slavery.

    My advice to the story submitter - don't do it! US citizenship is already dramatically worse than citizenships in other civilised countries and it's getting worse every year. In fact it's akin to a form of slavery. US citizens abroad have no functioning representation in Congress and they are routinely exploited as a result, citizenship based taxation being only one example.

    Swedish and Belgian citizenship together is a perfect combination! Why would you want anything more?

  4. Re:Their two biggest mistakes on Mozilla: Following In Sun's Faltering Footsteps? · Score: 1

    The important thing about Electrolysis isn't performance, it's that it will allow them to finally sandbox. My respect for Mozilla has lessened over time (and I used to be a minor contributor, back in the early days), partly because they don't seem to care about security as much as the Chrome team do. Chrome prioritised sandboxing over many other things and is a lot more robust as a result. Firefox is still just one JS engine exploit away from total ownage of the running system.

  5. Re:Do pilots still need licenses? on Would You Need a License To Drive a Self-Driving Car? · Score: 1

    That article says the autopilot was disconnected and "[The investigation] will help us to understand whether there was a problem with the Airbus or in the training received by flight crew in manual aircraft handling at high altitude."

    In other words they don't know what happened, but at the time of the near stall the plane was no longer under the control of the autopilot. BTW if a plane suddenly finds itself overspeeding, climbing to lose speed is the right thing to do.

  6. Re:Do pilots still need licenses? on Would You Need a License To Drive a Self-Driving Car? · Score: 1

    Can you cite one please?

  7. Re:Do pilots still need licenses? on Would You Need a License To Drive a Self-Driving Car? · Score: 2

    Do pilots still need licenses in the age of autopilot? Well yes because machines aren't infallible.

    Not quite. It's "yes" because most people would be unable to get over their fear of flying in an entirely autonomous plane, not because we need heroic pilots to override the computer when things go wrong.

    Consider that about half of all aviation accidents are traced to pilot error. The percentage of crashes caused by autopilot error is zero.

  8. Hashes not useful on Ask Slashdot: How Does One Verify Hard Drive Firmware? · Score: 5, Informative

    Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash.

    The fact that this practice is widespread in the Linux world originates from the usage of insecure FTP mirrors run by volunteer admins. There it's possible for a mirror to get hacked independently of the origin web page. A company like Seagate doesn't rely on volunteers at universities to distribute their binaries so the technique is pointless.

    A tool to verify the firmware is poetically impossible to write. What code on the drive would provide the firmware in response to a tool query? Oh right ..... the firmware itself. To make it work you need an unflashable boot loader that acts as a root of trust and was designed to do this from the start. But such a thing is basically pointless unless you're trying to detect firmware reflashing malware and that's something that only cropped up as a threat very recently. So I doubt any hard disk has it.

    BTW call a spade a spade. Equation Group == NSA TAO

  9. Re: Great, fully owned by Silent Circle on BlackPhone, In Wake of Gemalto Fallout, Receives $50 Million In Funding · Score: 4, Interesting

    The issue with Silent Circle isn't their jurisdiction. It's that their code is of deeply questionable quality. They recently had a remote code execution exploit that could be triggered just by sending a text message to their phone. It's been literally years since one of these affected mainstream software stacks, so how was that possible?

    Well, they wrote their own SMS parsing code, in C, and used JSON to wrap binary encrypted messages and there was a bug that could cause memory corruption when the JSON wasn't exactly in the form they expected.

    The amount of fail in that sentence is just amazing. They're a company which justifies its entire existence with security, writing software to run on a smartphone where the OS itself is written in a memory safe language (Java) and yet they are parsing overly complex data structures off the wire ..... in C. That isn't just taking risks, that's playing Russian roulette over and over again. And eventually it killed them. Remote code execution via SMS - ye gods.

    After learning about that exploit and more to the point, why it occurred, I will strongly recommend against using Silent Circle for anything. Nobody serious about security should be handling potentially malicious data structures in C, especially not when the rest of the text messaging app is written in Java. That's just crazy.

  10. Re:When groups like this attack you... on Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys · Score: 0

    I think the Gemalto response seems reasonable, actually. The documents suggest they weren't doing anything more sophisticated than snarfing FTP or email transfers of key files, which Gemalto say they started phasing out in 2010. And the documents themselves say they weren't always successful.

    NSA/GCHQ are not magic. They do the same kind of hacking ordinary criminals have been doing for years, just more of it and they spend more time on it. If Gemalto are now taking much better precautions over transfer of key material and the keys are being generated on air gapped networks, then it seems quite plausible that NSA/GCHQ didn't get in. Not saying they could NEVER have got in that way, but these guys are like anyone else, they take the path of least resistance.

    Besides, it's sort of hard for them to do something about a hypothetical hack of their core systems that they can't detect and which isn't mentioned in the docs.

  11. Re:Ugh. Just ugh. on NSA Director Wants Legal Right To Snoop On Encrypted Data · Score: 5, Insightful

    It's hilarious. For a moment I wondered if the transcript is even real. This makes Eliza look sophisticated.

    Q: Which of those countries should we give backdoors to?

    MR: So, I’m not gonna I mean, the way you framed the question isn’t designed to elicit a response.

    AS: So you do believe then, that we should build those for other countries if they pass laws?

    MR: I think we can work our way through this.

    AS: I’m sure the Chinese and Russians are going to have the same opinion.

    MR: I said I think we can work through this.

    He seems to believe "I think we can work through this" is an acceptable answer to a simple yes/no question. The guy doesn't even have a coherent answer to one of the most basic and obvious questions he could possibly be asked. I thought Comey did a poor job of explaining his position but this takes it to a whole other level.

  12. Re:Terrorists steal registered SIMs on Pakistanis Must Provide Fingerprints Or Give Up Cellphone · Score: 1

    Why would people not report a SIM as stolen currently? They have every incentive to. They'd need to do so, to get their old number back anyway.

    But seriously, if you're a terrorist, you're not going to be fazed by just doing some street muggings to obtain cell phones first. It doesn't matter much if the cards get de-activated a day later. Heck, just point a gun at a SIM vendor and force them to activate the cards with fake data. If the vendor doesn't have the IMSI codes for every SIM in their inventory, they can't even report them as stolen.

  13. Terrorists steal registered SIMs on Pakistanis Must Provide Fingerprints Or Give Up Cellphone · Score: 5, Insightful

    .... solution is more registration?

  14. Yes, a variety of ways on Ask Slashdot: How Can Technology Improve the Judicial System? · Score: 1

    The judicial system is, at heart, a method of resolving disputes. Sometimes those are disputes between civilians (civil suits) and sometimes they are criminal cases, disputes between people and the state.

    The most obvious and easy place to start is with small claims courts. Commercial arbitration handles many disputes that would otherwise end up in small claims courts, but we don't exploit this anywhere near enough. Most people just rely on their bank to act as a dispute mediator via the credit card chargeback mechanism, but this is a one-size-fits-all solution and banks are often not good at mediating disputes. There's lots of fraud and problematic outcomes.

    The place where most of the better-law-through-tech research is happening right now is the Bitcoin community, because of the general focus on decentralisation, global trade and frequent desire to avoid relying on government. So we have for example BitRated which is a platform for doing dispute mediated Bitcoin transactions, where anyone can be the dispute mediator. So you can get a fluid, international market of specialised judges who are experts in very particular types of transactions, like software contracts etc where "I didn't get software of sufficient quality" is not a dispute that makes sense to handle via a chargeback. And it can all happen over the internet.

    That's a very simple example. More complex examples involve specifying a contract in the form of a computer program and then effectively having the program be the "judge". I wrote about how to implement this, again with Bitcoin, several years ago. The technology is not that complicated actually. The hard part is figuring out the right user interfaces to make it easy. Presumably only very simple and precise contracts could be managed that way, so there's still open research in how to craft these digital contracts such that you can escape back to human judgement if there's an exceptional case.

    When it comes to criminal rather than commercial cases, probably the best way to apply technology to reduce costs is to allow remote lawyering. That is, you should be able to outsource your legal representation to someone who isn't physically present. They may be rather good and experienced, but just lives out in rural areas or in a country where the cost of living is cheaper. The issue here is not really technical but rather just institutional inertia.

    The UK is putting its judicial system under tremendous financial pressure at the moment, to the extent that some criminal cases are just being abandoned because there's insufficient money to run them. They're (finally!) starting to experiment with allowing small claims court cases to be resolved over the phone, and also looking at decriminalising TV license violations to reduce pressure on the system. But you get the idea - the judicial system innovates extremely slowly even when being sliced to the bone. So don't hold your breath.

  15. Re:Is javascript dangerous? on Jamie Oliver's Website Serving Malware · Score: 1

    Zero day means the bad guys find out before the good guys do.

  16. Re:Where does Snowden get all this information fro on How NSA Spies Stole the Keys To the Encryption Castle · Score: 1

    Snowden hasn't had any access to the NSA since he fled to Hong Kong.

    However, the amazing thing about this dude is he was able to do full blown web crawls of the entire NSA and GCHQ intranets, including dumps/crawls of data he didn't have access to .... all without getting noticed or caught. He appears to have provided the journalists with what is quite literally a snapshot of their internal networks at the time he was operating. It's taking them years to go through it.

  17. Re:Rainbow tables on How NSA Spies Stole the Keys To the Encryption Castle · Score: 2

    Rainbow tables only worked for GSM, which is now decades out of date. Most people are going to be connected to 3G or higher in urban areas (i.e. where all the action is), which isn't so easily hacked. Hence their interest. It's in the article, even.

  18. Re:Liability shift to merchants on Credit Card Fraud Could Peak In 2015 As the US Moves To EMV · Score: 1

    Most businesses pass those worries along to payment processors like BitPay or Coinbase. It's still better because you can always in-source if you want to, so they have little leverage over you.

    But yes, Bitcoin isn't an immediate replacement for cards for all online commerce. At least not yet. Volatility is a pain, but the current price is only about 5% off where it was a year ago. Presumably as Bitcoin gets older wild press-driven hype cycles will become rarer and the bubble/burst cycle of the past few years will calm down a bit. We'll have to wait and see.

  19. Re:Is javascript dangerous? on Jamie Oliver's Website Serving Malware · Score: 1

    I think better warnings about not updating would be good, something in the line "there are currently X known ways of compromising your system, please update to fix".

    It was tried. Doesn't work. Lots of people don't even read security alerts. They just immediately find the X or close or cancel button and click it without even reading the thing they are dismissing.

    The amount of time your average user wants to spend on maintaining their computer is zero. They have no notion that a computer is a thing that must be maintained and failing to do so can damage the internet. They just want to achieve their task.

    The only correct way to do auto updates is automatically, silently, and not giving the user any choice in the matter. Everyone who has failed to accept this reality has ended up with their users running obsolete and insecure versions of their apps, and getting reamed in the court of public opinion as a result. If the Java team fixed their auto updater to be entirely silent and scrapped the Ask Toolbar malarkey they'd have a pretty compelling platform still. But for as long as browsers are managing themselves and Java is asking permission, it will always lose.

  20. Re:Is javascript dangerous? on Jamie Oliver's Website Serving Malware · Score: 1

    Yes, that seems like a remarkably common problem and I'm not sure how people manage that. Serializing objects to the database? I guess if vendors get enough customer pressure to work better with Java updates they might put some effort into it, eventually.

    But then the Java security holes are all sandbox escapes. You aren't using the sandbox for some enterprise time tracking app. So the need to update is less.

  21. Re:you can buy android without google over there.. on Google Faces Anti-Trust Probe In Russia Over Android · Score: 1

    The fierce competition for Google Play is the iPhone app store.

  22. Re:you can buy android without google over there.. on Google Faces Anti-Trust Probe In Russia Over Android · Score: 1

    So basically, you either get to bundle the best app store and go fully Google, or you get to cause your end users issues by bundling the second best app store but get to use your own solutions for other things such as search.

    I think we all see the surface parallels with Microsoft, but the problem is that all Android's competitors are significantly MORE tied and MORE bundled. Historically Apple hasn't even let people put apps on their own app store that compete with their built in apps! Don't even think about carriers shipping iPhones with customisations, let alone Yandex - it just doesn't happen. Microsoft also don't even support alternative app stores on Windows Phone at all.

    In fact, Google is unique in allowing such a huge degree of customisation and unbundling of the core components. Any outcome that results in Google getting in trouble for being dramatically more open than their competitors can only be the result of horribly broken politics, not rational and even application of law.

  23. Re:someone explain for the ignorant on Credit Card Fraud Could Peak In 2015 As the US Moves To EMV · Score: 1

    The card signs the transaction data once the PIN is presented (the ARQC). The PIN never goes to the bank, and a MITM should not be able to modify the signature on the transaction data. So I'm not sure why you think it's vulnerable to MITM.
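    The point made in this comment, as an added illustration (not the commenter's code and not the EMV specification): the card verifies the PIN on-card and only then releases a cryptogram over the transaction data, so the PIN never crosses the wire, and the issuer checks that cryptogram against the fields it receives, so an intermediary who alters the amount cannot make it verify. HMAC-SHA256 stands in for the issuer-specific MAC a real card computes; the field list, key handling and transaction counter are simplified assumptions, and the PAN and PIN are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Toy model of the flow described in the comment. HMAC-SHA256 stands in for
# the issuer-specific MAC a real EMV card computes; the field list, key
# handling and counter are simplified assumptions, not the EMV specification.


def _mac(key: bytes, fields: dict) -> str:
    """MAC over a canonical encoding of every field except the cryptogram."""
    body = {k: v for k, v in fields.items() if k != "arqc"}
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Card:
    def __init__(self, pan: str, pin: str, issuer_key: bytes):
        self.pan = pan
        self._pin = pin          # verified on the card; never transmitted
        self._key = issuer_key   # shared only with the issuer
        self.atc = 0             # application transaction counter

    def request_cryptogram(self, pin: str, tx: dict) -> Optional[dict]:
        """Return the transaction with an ARQC, or None if the PIN is wrong."""
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        self.atc += 1
        signed = dict(tx, pan=self.pan, atc=self.atc)
        signed["arqc"] = _mac(self._key, signed)
        return signed


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, pin: str) -> Card:
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, pin, key)

    def authorise(self, signed: dict) -> bool:
        key = self._keys.get(signed.get("pan"))
        if key is None or signed.get("atc", 0) <= self._last_atc[signed["pan"]]:
            return False  # unknown card, or a replayed/stale counter value
        if not hmac.compare_digest(_mac(key, signed), signed.get("arqc", "")):
            return False  # transaction data no longer matches the cryptogram
        self._last_atc[signed["pan"]] = signed["atc"]
        return True


def demo():
    """Returns (genuine accepted, tampered accepted, replay accepted)."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111", "4821")  # constructed PAN and PIN
    tx = {"amount": 2500, "currency": "GBP", "merchant": "M123", "un": "a1b2"}
    signed = card.request_cryptogram("4821", tx)
    tampered = issuer.authorise(dict(signed, amount=250000))  # MITM edits amount
    genuine = issuer.authorise(signed)                        # untouched copy
    replay = issuer.authorise(signed)                         # same ATC again
    return genuine, tampered, replay
```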

  24. Re:US: Welcome to the present on Credit Card Fraud Could Peak In 2015 As the US Moves To EMV · Score: 1

    That's not correct. You can tip using chip and pin.

  25. Re:someone explain for the ignorant on Credit Card Fraud Could Peak In 2015 As the US Moves To EMV · Score: 1

    You sort of imply that this shouldn't be the case? I'm no expert but just wondering how a crook could get a PIN other than lack of reasonable protection from the owner?

    There are ways but they are all incredibly convoluted. One famous scam in the UK involved a complicated phone hack involving several actors. It worked like this.

    Scammer A calls the victim and claims to be from the police department. They say that there has been an outbreak of carding fraud and the victim's card needs to be replaced. Now at this point many people's BS meters go off because fraud requiring card replacement is practically non-existent. But the scammers have a neat trick - they say, you're quite right to be skeptical, why don't you call the police department back and ask for $NAME.

    So the victim hangs up the phone. But unknown to them, the other side doesn't hang up and in the UK the line only closes if both sides hang up. Now the victim picks up the phone again and hears a fake dial tone played by the other side. They dial the number of the police department and hear a fake ringing. They talk to another scammer (different voice) who pretends to be a switchboard operator, who then routes them through to yet another scammer who pretends to be a detective. All on the same phone call as the first one.

    The victim is now convinced that the fraud is real, because nobody could beat the callback check right? And the switchboard sounded very convincing. The detective tells them that a courier from the bank will come round to their address and issue them a replacement card soon, and the bank will be in touch shortly. At this point they hang up, now convinced. Yet another scammer phones them and claims to be from the bank. They ask for the PIN so the replacement card can be programmed correctly. Victim gives them the PIN. Then the final scammer rocks up on a motorbike with some fake delivery company logos and hands the victim a real-looking but useless card, taking their real card (with PIN) from them. Emptying the card up to its limit via an ATM happens shortly afterwards.

    I don't recall who ended up being considered liable in this case, but I think the banks covered it just to avoid the bad PR. IIRC the crooks got caught anyway.